Tag Archives: gps

Updates to GPS Utility (Timestamp Features)

I decided to make some pretty solid changes to TrackerCat since my last post. I wasn’t satisfied with it only converting GPX-to-KML. The new changes include the following:

  • Ability to recursively export all GPXs from a specified path (can be a mounted device image).
  • Extract and write all trackpoint timestamps to CSV, including archived files. Optionally, you can choose to export Active Log names and times to their own CSV. While the latter isn’t as important to export as trackpoint times, it may still be useful to some.
  • Display a file’s metadata time tag during the timestamp dump. This is critical if the GPX file is the Current.gpx (akin to a last access, or rather, last power-on for some devices). These are not written to CSV as their importance differs depending on file and scenario.
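
The timestamp dump described in the list above can be sketched as follows. This is an added example, not TrackerCat's own code (which is an XSLT transform); it assumes GPX 1.1 files, and the function names, column names and sample data are made up for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}

# Constructed sample in GPX 1.1 layout; names and values are made up, not device output.
SAMPLE_GPX = """<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="constructed">
  <metadata><time>2014-03-02T18:05:11Z</time></metadata>
  <trk><name>ACTIVE LOG 001</name><trkseg>
    <trkpt lat="40.7128" lon="-74.0060"><time>2014-03-01T14:12:03Z</time></trkpt>
    <trkpt lat="40.7130" lon="-74.0049"><time>2014-03-01T14:12:33Z</time></trkpt>
    <trkpt lat="40.7133" lon="-74.0041"></trkpt>
  </trkseg></trk>
</gpx>"""

def parse_utc(text):
    """Parse a whole-second UTC time ending in Z; None if missing or in another form."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        return None

def dump_timestamps(gpx_text, source="sample.gpx"):
    """Return (metadata_time, rows) with one row per trackpoint, in file order."""
    root = ET.fromstring(gpx_text)
    meta = parse_utc(root.findtext("gpx:metadata/gpx:time", namespaces=GPX_NS))
    rows = []
    for trk in root.findall("gpx:trk", GPX_NS):
        name = trk.findtext("gpx:name", default="", namespaces=GPX_NS)
        for pt in trk.iterfind("gpx:trkseg/gpx:trkpt", GPX_NS):
            raw = pt.findtext("gpx:time", namespaces=GPX_NS)
            ts = parse_utc(raw)
            # Keep points lacking a usable time so the row count matches the file.
            rows.append([source, name, pt.get("lat"), pt.get("lon"),
                         ts.isoformat() if ts else "", raw or ""])
    return meta, rows

def to_csv(rows):
    """Serialise rows with a header; time_raw preserves the value as stored."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["source", "track", "lat", "lon", "time_utc", "time_raw"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    meta, rows = dump_timestamps(SAMPLE_GPX)
    print("metadata time (not written to CSV):", meta, to_csv(rows), sep="\n")
```

The raw column keeps each time exactly as stored in the file, so a value the parser cannot normalise is still visible to the examiner instead of being dropped.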

To reduce spam, I’ll try to keep minor official updates to Twitter instead of posting here in the future. Hope the updates are useful!

TrackerCat: GPX-to-KML Active Log Mapping Tool

To supplement my GPS research, I created a simple tool for the extraction of Active Log data from GPX files. This tool will transform GPS device data files into keyhole markup language files for easy mapping (GPX to KML). The output can easily be opened in programs like Google Earth. This tool will provide analysts with a better understanding of data contained within GPXs and their Active Logs. The KMLs are complete with timestamps and trackpoint coordinates.

Prior to TrackerCat – and without the use of expensive utilities – analysts had to manually re-save exported GPX files as KMLs in mapping programs. TrackerCat automates the transformation process while striving to preserve as much forensic data as possible.

While the tool is really just a simple XML-to-XML XSLT transform script (that parses the appropriate formats), you can join the project to improve its functionality! You can use the project’s GitHub to show off your own GPS device forensics scripts. Also be sure to check out the PowerPoint here.

Official Github Logo

Click on the Official GitHub logo above for TrackerCat’s reader-friendly GitHub landing page, or go right to the project’s GitHub.

Google Map Tiles: Forensics & IEF

I stumbled upon something neat I thought I’d share with you all while playing around with a demo of Internet Evidence Finder by Magnet Forensics. It is essentially using a memory image to determine where an individual may have been based on his/her geolocation queries, crowd-sourced GPS check-ins (using Google Maps), etc. by analyzing Google Map tiles. Obviously, although IEF is known in the forensics community, I was impressed when using it for the first time.

I allowed IEF to carve web browser artifacts, chat sessions and Google map tile artifacts from a memory image (acquired via FTKi). I then had IEF map the coordinates from the tile file names and plot them across a world map (it is as simple as hitting “World Map” in the Report Viewer). You can also use Magnet’s free standalone GMTI (Google Maps Tile Investigator) to plot specified coordinates if you’ve pulled the artifacts using another method.

Although this is a known feature of the software, I found it incredibly impressive and very useful. That you can do this directly from a memory image – with the same amount of success as from a hard drive image – is pretty cool.

Using that information you can get a general sense of where an individual was by what map information he or she searched for using Google Maps.

You can begin to develop a hypothesis as to the location’s significance when you compare this information to other known facts within your investigation. Knowing this information can help you weigh the importance of a cluster of plots and determine whether they are significant.

Instructions and more information on Google Map tile forensics are available in a great post by Magnet on their blog: http://www.magnetforensics.com/investigating-google-maps-how-the-tiles-tell-all/

For more information on Magnet’s IEF see: http://www.magnetforensics.com/products/internet-evidence-finder/

Information on the standalone (free) GMTI can be found at this address: http://www.magnetforensics.com/google-maps-tile-investigator/